10 Cybersecurity Practices to Protect Your Business

Threats are mounting, but effective controls and regular education can reduce risks significantly.

According to a study released by IBM Security in July of 2019, the average cost to global businesses of a data breach is $2.92 million and has risen by 12% over the past five years. In the U.S., the average cost is much higher, at $8.19 million.[1] Further, these numbers do not account for less quantifiable costs, such as reputational damage with clients and vendors, productivity loss or lower employee morale.

While the volume and complexity of threats continue to grow, experts agree that businesses can significantly reduce their exposure – and costs if a breach occurs – by following some well-vetted best practices for operating in the current threat environment. Below is a list of such practices, which begin with setting a strong governance framework and are underpinned by continual awareness and education.

Define your threats, assets and impact.

All cybersecurity programs must begin with a strong governance foundation; policies, standards, procedures and commitment from senior management are crucial building blocks for protecting data. A good way to begin this process is through performing a comprehensive analysis of the information ecosystem that needs protecting. This includes:

Outlining who might attack your business and identifying the potential types of impact.

To establish governance and create structure for your program, you need documented policies and procedures. The results of litigation, due diligence and outside audits will all rely on these documents. They will also support business resiliency.

When building or refreshing your program and its supporting documents, consider doing the following:

In addition to policies and procedures, operational plans – living documents that evolve with your organization’s growth and changing cyber trends – will also help strengthen your defenses. These plans are not one-size-fits-all; rather, they should combine company- and industry-specific add-ons with certain core components. An operational plan should allow you to prioritize both your short- and long-term cybersecurity plans and budgets, and it should consider the use of new systems, increases in business volume, and the addition of employees and new supplies.

Perform vulnerability assessments.

Vulnerability assessments identify weaknesses in your systems and should be conducted at least annually. They should cover your business and its supply chain and include both physical and cyber components. Using an outside firm to perform the review is highly preferred.

Use secure methods for sharing confidential information.

The protection of confidential information is critical to the continued success and protection of your business. Begin by identifying your most valuable and sensitive information, then establish controls to protect the information based on the risk associated with unauthorized access or loss. Below are some of the most effective practices in this area:

Using encryption tools wherever possible, including for email distribution and file transfers

The more factors needed to log in or perform other transactions related to your business, the lower the risk of a breach. These can often be put into place with minimal impact on speed and convenience. For financial transactions, use both multi-factor options and call-back procedures.

Conduct a regular awareness and education program.

For your cybersecurity program to be effective, your employees need to understand it and stay informed about evolving threats. Provide regular education, with an updated curriculum, on the topics listed below. Also ensure that evolving threats are tracked and that your education program is flexible enough to keep employees informed of new threats as well as existing ones:

Social media

Social engineering

Business Email Compromise (BEC)

Executive compromise emails/Whaling

Phishing emails

Device use

International travel

Public Wi-Fi

Back up critical data, and test recovery.

The presence of reliable recovery options, including not storing your backup data in the same location and server as your production data, will aid in mitigating the threats of a security compromise. Be disciplined in the creation, protection and testing of backups for critical data and technology systems.

Monitor systems and unusual activity.

Irregular network traffic, access patterns, physical activity, and the size and types of files leaving your business should all be closely examined. If possible, consider hiring an outside firm with specialized tools and resources to help you with this work. Also, be aware of legal restrictions against certain types of monitoring, particularly as it relates to your workforce.

While there is no foolproof solution to protecting your business against cyber threats, following the above best practices will position you among the best of your peers. For more information on how to protect both your business and family, visit the Northern Trust Security Center.

This information is not intended to be and should not be treated as legal, investment, accounting or tax advice and is for informational purposes only. Readers, including professionals, should under no circumstances rely upon this information as a substitute for their own research or for obtaining specific legal, accounting or tax advice from their own counsel. All information discussed herein is current only as of the date appearing in this material and is subject to change at any time without notice.
